WO2012159366A1 - Data management method and device - Google Patents

Data management method and device Download PDF

Info

Publication number
WO2012159366A1
WO2012159366A1 PCT/CN2011/077971 CN2011077971W WO2012159366A1 WO 2012159366 A1 WO2012159366 A1 WO 2012159366A1 CN 2011077971 W CN2011077971 W CN 2011077971W WO 2012159366 A1 WO2012159366 A1 WO 2012159366A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
identification code
data
signature
hash value
Prior art date
Application number
PCT/CN2011/077971
Other languages
French (fr)
Chinese (zh)
Inventor
王永宏
李修奕
张明
周为民
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to PCT/CN2011/077971 priority Critical patent/WO2012159366A1/en
Priority to CN2011800016409A priority patent/CN103098502A/en
Publication of WO2012159366A1 publication Critical patent/WO2012159366A1/en
Priority to US14/145,455 priority patent/US20140115697A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/33User authentication using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10Integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/69Identity-dependent
    • H04W12/71Hardware identity

Definitions

  • the present invention relates to communication technologies, and in particular, to a data management method and apparatus.
  • the security booting technology can implement operator-to-terminal data management.
  • the specific process of implementing the carrier-to-terminal data management by the secure boo t technology includes: generating an initial carrier identification code and a corresponding program image in the flash memory of the terminal according to the lock network requirement of the terminal; and based on the initial operation in the flash memory
  • the merchant identification code and the program image generate a signature, and the signature is rewritable; when the terminal is started, the carrier identifier and the program image in the flash memory are hashed by a hash algorithm preset by the terminal to obtain a hash value; Detecting whether the signature is consistent with the hash value. If they are consistent, the initial carrier identifier of the program and the flash memory is not illegally changed; and the usage right of the terminal is determined according to the detection result.
  • the illegal user can use the program image of the terminal of the other operator customized with the same hardware configuration, and replace the terminal of the terminal.
  • the program image is difficult to be detected, the operator's customer is lost, causing the operator's loss.
  • the embodiment of the present invention provides a data management method and apparatus, which can detect that an illegal user replaces a program image of the terminal with a program image of a terminal customized by another operator having the same hardware configuration.
  • a data management method including: acquiring an operator identifier of the terminal and a preset terminal identifier, where the terminal identifier is unrewritable and corresponding to the terminal;
  • the hash algorithm is configured to perform a hash operation on the first data to obtain a first hash value, where the first data includes the terminal identifier and the operator identifier; and the detected signature and the first hash value If the result is consistent, the detection result is obtained, the signature is pre-generated according to the terminal identification code and the initial operator identification code, and the initial operator identification code is pre-generated by the terminal; The usage rights of the terminal.
  • a data management apparatus including:
  • a data acquisition module configured to acquire an operator identification code of the terminal and a preset terminal identification code, where the terminal identification code is not rewritable and corresponds to the terminal
  • a hash value obtaining module configured to perform hashing on the first data by using a preset hash algorithm, to obtain a first hash value, where the first data includes a terminal identifier and a carrier acquired by the data acquiring module Identifier;
  • a first detecting module configured to detect whether the signature is consistent with the first hash value obtained by the hash value obtaining module, and obtain a detection result, where the signature is pre-generated according to the terminal identifier and the initial carrier identifier The initial carrier identifier is pre-generated by the terminal;
  • the authority determining module is configured to determine the usage right of the terminal according to the detection result obtained by the first detecting module.
  • the data management method and device provided by the embodiment of the present invention obtains the first hash value by performing a hash operation including the terminal identification code and the operator identification code; and detecting whether the first hash value is consistent with the pre-generated signature And determining the usage rights of the terminal according to the detection result, thereby realizing data management of the terminal. Since the terminal identification code is not rewritable, it is difficult for an illegal user to replace the signature of the terminal with the signature of the terminal customized by another operator, and the program image of the terminal can be detected by replacing the program image with the program image.
  • the embodiment of the present invention solves the problem that the illegal user can use the program image of the terminal customized by other operators with the same hardware configuration in the prior art, and replaces the program image of the terminal, causing the operator's customer to be lost and causing the loss of the operator. .
  • FIG. 1 is a flowchart of a data management method according to Embodiment 1 of the present invention.
  • FIG. 2 is a flowchart of a data management method according to Embodiment 2 of the present invention.
  • FIG. 3 is a flowchart of a data management method according to Embodiment 3 of the present invention.
  • FIG. 4 is a schematic structural diagram 1 of a data management apparatus according to Embodiment 4 of the present invention.
  • FIG. 5 is a schematic structural diagram 2 of a data management apparatus according to Embodiment 4 of the present invention.
  • FIG. 6 is a schematic structural diagram 3 of a data management apparatus according to Embodiment 4 of the present invention.
  • the embodiment of the present invention provides a data management method and apparatus.
  • Step 101 Obtain an operator identifier of the terminal and a preset terminal identifier.
  • the operator identification code in step 101 is used to associate with an operator, including a Public Land Mobile Network (PLMN) identifier; it may be rewritable, and the carrier identifier may be passed. Establish an association with the operator.
  • the operator identification code in step 101 may be related to the operator network; for different carrier networks, the carrier identification code is different.
  • the carrier identification code may be a PLMN identification code or other identification code, and is not repeated here.
  • the terminal identification code preset in step 101 is not rewritable and corresponds to the terminal.
  • the terminal identification code is used to associate with the terminal in hardware; it can be set inside the chip of the terminal when the terminal is produced.
  • the operator identification code may be obtained from the data card of the terminal through the step 101, or the carrier identification code may be obtained from the flash memory of the terminal, and is not described here.
  • the data card of the terminal may be a Subscriber Identity Module (SIM), a Universal Subscriber Identity Module (USIM), or other types of user identification cards, which are not limited herein. .
  • Step 102 Perform a hash operation on the first data by using a preset hash algorithm to obtain a first hash value.
  • the first data in step 102 may include a terminal identifier and an operator identifier, and may also include other content such as security data, which is not limited herein.
  • the security data is data that prohibits other users from illegally modifying the tomb, and is used to perform functional restrictions on the terminal.
  • the hashing process of the first data by using a preset hash algorithm in step 102 may be implemented by setting a code corresponding to the hash algorithm in the terminal, or may be implemented by other methods. No longer here - repeat.
  • Step 103 Check whether the signature is consistent with the first hash value, and obtain a detection result.
  • the signature in step 103 is pre-generated according to the terminal identifier and the initial operator identifier, and the initial operator identifier is pre-generated by the terminal.
  • step 103 can directly detect whether the signature is consistent with the first hash value.
  • the signature is in the form of a hash-encrypted ciphertext, the signature needs to be decrypted first. Then, through step 103, it is detected whether the decrypted result is consistent with the first hash value.
  • Step 104 Determine, according to the detection result, the usage right of the terminal.
  • the terminal when the detection result obtained by step 103 is that the signature is consistent with the first hash value, the terminal has the usage right; according to the detection result, the terminal can be used normally.
  • the detection result obtained in step 103 is that the signature is inconsistent with the first hash value, the terminal does not have the use permission; according to the detection result, the terminal runs the error handler and cannot be used normally.
  • the data management method provided by the embodiment of the present invention obtains the first hash value by performing a hash operation including the terminal identification code and the operator identification code; and detects whether the first hash value is consistent with the pre-generated signature, and The usage right of the terminal is determined according to the detection result, thereby realizing data management of the terminal. Since the terminal identification code is not rewritable, it is difficult for an illegal user to replace the signature of the terminal with the signature of the terminal customized by another operator, and the program image of the terminal can be detected by replacing the program image with the program image.
  • the embodiment of the present invention solves the problem that the illegal user can use the program image of the terminal customized by other operators with the same hardware configuration in the prior art, and replaces the program image of the terminal, resulting in loss of the operator's customer and causing loss of the operator. .
  • the data management method provided in Embodiment 2 of the present invention includes: Step 201: Generate an initial operator identification code in a flash memory of the terminal according to a lock requirement of the terminal.
  • the terminal manufacturer can generate an initial carrier identification code in the flash memory of the terminal through step 201 when the terminal is produced. After the initial operator identification code is generated in the flash memory of the terminal through step 201, the terminal manufacturer or user can obtain the modified carrier identification code according to the initial carrier identification code.
  • Step 202 Generate a signature according to the second data.
  • the signature is rewritable in the step 202
  • the second data may include the initial carrier identifier and the terminal identifier, and may include other content such as security data, which is not limited herein.
  • the process of generating a signature by step 202 may include adopting a preset The hash algorithm performs a hash operation on the second data, and the obtained second hash value is the signature; in order to improve the reliability of the signature, the second data may be hashed by a preset hash algorithm to obtain the first After the second hash value, the second hash value is encrypted, and the obtained ciphertext is the signature.
  • Step 203 to step 204 Obtain an operator identification code of the terminal and a preset terminal identification code, and perform hash operation on the first data by using a preset hash algorithm.
  • a preset hash algorithm For the specific process, reference may be made to step 101 to step 102 shown in FIG. 1, which is not repeated here.
  • Step 205 Check whether the signature is consistent with the first hash value, and obtain a detection result.
  • the signature is generated in step 205 according to the initial operator identification code and the terminal identification code, correspondingly, the first hash value is generated according to the operator identification code and the terminal identification code through step 204. If the signature is generated in step 205 according to the initial operator identification code, the terminal identification code, and the security data, correspondingly, the first hash value is determined by the operator according to the operator's identification of the 'J code, terminal identification. Code and security data generated.
  • the signature in step 205 is a second hash value obtained by hashing the second data by using a hash algorithm set in advance, it is detected in step 205 whether the signature is consistent with the first hash value.
  • the process is: detecting whether the second hash value is consistent with the first hash value; if the signature in step 205 is to hash the second data by using a preset hash algorithm to obtain the second hash value, The second hash value is encrypted, and the obtained ciphertext is detected by step 205.
  • the process of detecting whether the signature is consistent with the first hash value is: decrypting the signature to obtain a third hash value, and detecting the third hash value. Whether it is consistent with the first hash value, the detection result is obtained.
  • the signature when the public key corresponding to the private key encrypted by the second hash value is the public key in the root certificate, the signature can be directly decrypted by the public key of the root certificate;
  • the public key corresponding to the encrypted private key is the public key of the certificate in the flash memory of the terminal, in order to improve the security of the network communication, the public key of the certificate in the flash memory may be encrypted in advance to obtain the encrypted public key;
  • the process of decrypting the signature may include: the terminal first decrypts the encrypted public key by using the public key in the root certificate to obtain the public key of the certificate in the flash memory; and then the terminal performs the signature on the public key of the certificate in the flash memory. Decrypt.
  • Step 206 Determine, according to the detection result, the usage right of the terminal.
  • the specific process and Figure 1 Step 104 is similar, and is not repeated here.
  • the data management method provided by the embodiment of the present invention obtains the first hash value by performing a hash operation including the terminal identification code and the operator identification code; and detects whether the first hash value is consistent with the pre-generated signature, and The usage right of the terminal is determined according to the detection result, thereby realizing data management of the terminal. Since the terminal identification code is not rewritable, it is difficult for an illegal user to replace the signature of the terminal with the signature of the terminal customized by another operator, and the program image of the terminal can be detected by replacing the program image with the program image.
  • the embodiment of the present invention solves the problem that the illegal user can use the program image of the terminal customized by other operators with the same hardware configuration in the prior art, and replaces the program image of the terminal, resulting in loss of the operator's customer and causing loss of the operator. .
  • the data management method provided in Embodiment 3 of the present invention includes: Step 301: Check whether the operator identification code in the data card of the terminal is consistent with the operator identification code in the flash memory of the terminal.
  • the operator identification code in the data card of the terminal and the operator identification in the flash memory of the terminal may be first detected in step 301. Whether the codes are consistent. When it is determined in step 301 that the operator identification code in the data card of the terminal is consistent with the carrier identification code in the flash memory of the terminal, the operator identification code and the terminal identification code may be obtained through step 302. Optionally, when the terminal is determined through step 301 When the carrier ID in the data card is inconsistent with the carrier ID in the flash memory of the terminal, the terminal can run an error handler and cannot be used normally.
  • Step 302 When the carrier identifier in the data card is consistent with the carrier identifier in the flash memory, obtain the operator identifier of the terminal and the terminal identifier set in advance.
  • the specific process is similar to step 101 shown in Figure 1, and is not repeated here.
  • Step 303 to step 305 performing a hash operation on the first data, and after obtaining the first hash value, detecting whether the signature is consistent with the first hash value, and determining the usage right of the terminal according to the detection result.
  • the specific process is similar to step 102 to step 104 shown in FIG. 1, and is not repeated here.
  • the data management method provided by the embodiment of the present invention obtains the first hash value by performing a hash operation including the terminal identification code and the operator identification code; and detects whether the first hash value is consistent with the pre-generated signature, and The usage right of the terminal is determined according to the detection result, thereby realizing data management of the terminal. Since the terminal identification code is not rewritable, it is difficult for illegal users to use The signature of the terminal customized by other operators replaces the signature of the terminal, and the program image of the terminal is replaced with the program image can be detected.
  • the embodiment of the present invention solves the problem that the illegal user can use the program image of the terminal customized by other operators with the same hardware configuration in the prior art, and replaces the program image of the terminal, resulting in loss of the operator's customer and causing loss of the operator. .
  • the data management apparatus includes: a data acquisition module 401, configured to acquire a carrier identifier of a terminal and a preset terminal identifier, where the terminal identifier is not rewritable and is connected to the terminal. --corresponding.
  • the operator identification code in the data acquisition module 401 is used to associate with the operator, including the PLMN identification code; it may be rewritable, and the operator identification code may be used to establish an association with the operator.
  • the operator identification code in the data acquisition module 401 can be related to the operator network; the carrier identifier is different for different carrier networks.
  • the carrier identification code may be a PLMN identification code or other identification code, and is no longer referred to herein.
  • the terminal identification code preset in the data acquisition module 401 is not rewritable and corresponds to the terminal.
  • the terminal identification code is used to associate with the terminal in hardware; it can be set inside the chip of the terminal when the terminal is produced.
  • the data acquisition module 401 can obtain the operator identification code from the data card of the terminal, or obtain the carrier identification code from the flash memory of the terminal, which is not repeated here.
  • the data card of the terminal may be a SIM, a USIM, or another type of user identification card, which is not limited herein.
  • the hash value obtaining module 402 is configured to perform hashing on the first data by using a preset hash algorithm to obtain a first hash value, where the first data includes a terminal identifier and a carrier identifier obtained by the data acquiring module.
  • the first data in the hash value obtaining module 402 may include the terminal identification code and the operator identification code, and may also include other content such as security data, which is not limited herein.
  • the security data is data that prohibits other users from illegally modifying the tomb, and is used to limit the functionality of the terminal.
  • the hash value obtaining module 402 performs a hash operation process on the first data by using a preset hash algorithm, which may be implemented by setting a code corresponding to the hash algorithm in the terminal, or may be Other ways to achieve, no longer here - repeat.
  • the first detecting module 403 is configured to detect whether the signature is consistent with the first hash value obtained by the hash value obtaining module, and obtain a detection result, where the signature is pre-generated according to the terminal identifier and the initial operator identifier, and the initial operator identifier is generated.
  • the code is pre-generated by the terminal.
  • the signature in the first detection module 403 is pre-generated according to the terminal identification code and the initial operator identification code, and the initial carrier identification code is pre-generated by the terminal.
  • the first detection module 403 can directly detect whether the signature is consistent with the first hash value.
  • the signature is in the ciphertext encrypted by the hash value, the signature needs to be first. Decryption is performed, and then the first detection module 403 detects whether the decrypted result is consistent with the first hash value.
  • the permission determining module 404 is configured to determine the usage right of the terminal according to the detection result obtained by the first detecting module.
  • the rights determination module 404 can include a first determination sub-module and a second determination sub-module.
  • the first determining submodule is configured to: when the detection result obtained by the first detecting module is that the signature is consistent with the first hash value, the terminal has the use permission; that is, the terminal can be used normally according to the detection result; the second determining submodule When the detection result obtained by the first detection module is that the signature is inconsistent with the first hash value, the terminal does not have the use permission; that is, according to the detection result, the terminal runs the error processing program and cannot be used normally.
  • the data management apparatus in this embodiment may further include: a number generation module 405, configured to generate an initial carrier identifier in the flash memory of the terminal according to the network lock requirement of the terminal.
  • the terminal manufacturer can generate an initial carrier identification code in the flash memory of the terminal by the number generation module 405 when the terminal is produced. After the initial operator identification code is generated by the number generation module 405 in the flash memory of the terminal, the terminal manufacturer or user can obtain the modified carrier identification code according to the initial carrier identification code.
  • the signature generation module 406 is configured to generate a signature according to the second data, the signature is rewritable, and the second data includes an initial operator identifier generated by the number generation module and a terminal identifier.
  • the signature in the signature generation module 406 is rewritable, and the second data may include an initial carrier identifier and a terminal identifier, and may include other content such as security data, which is not limited herein.
  • the process of generating a signature by the signature generation module 406 may include performing a hash operation on the second data by using a preset hash algorithm to obtain a second hash value.
  • the hash data may be hashed by a preset hash algorithm to obtain a second hash value, and then the second hash value is encrypted.
  • the ciphertext is the signature.
  • the signature in the first detection module 403 is generated according to the initial operator identification code and the terminal identification code through step 202, correspondingly, the first hash value is obtained by the hash value acquisition module 402 according to the operator.
  • the identification code and the terminal identification code are generated; if the signature in the first detection module 403 is generated by the signature generation module 406 according to the initial carrier identification code, the terminal identification code, and the security data, correspondingly, the first hash value is passed through
  • the hash value acquisition module 402 is generated based on the operator identification code, the terminal identification code, and the security data.
  • the second hash value obtained by the first detecting module 403 is detected by the first detecting module 403.
  • Whether the hash value is consistent is: detecting whether the second hash value is consistent with the first hash value; if the signature in the first detecting module 403 is to hash the second data by using a preset hash algorithm, After the second hash value is obtained, the second hash value is encrypted, and the obtained ciphertext is detected by the first detecting module 403.
  • the process of detecting whether the signature is consistent with the first hash value is: decrypting the signature to obtain the first hash value.
  • the third hash value is detected whether the third hash value is consistent with the first hash value, and the detection result is obtained.
  • the first detecting module 403 includes: a decrypting submodule, configured to decrypt the signature to obtain the first hash value. a three-hash value; a detection sub-module, configured to detect whether the third hash value is consistent with the first hash value, and obtain a detection result.
  • the signature when the public key corresponding to the private key encrypted by the second hash value is the public key in the root certificate, the signature can be directly decrypted by the public key of the root certificate;
  • the public key corresponding to the encrypted private key is the public key of the certificate in the flash memory of the terminal, in order to improve the security of the network communication, the public key of the certificate in the flash memory may be encrypted in advance to obtain the encrypted public key;
  • the process of decrypting the signature may include: the terminal first decrypts the encrypted public key by using the public key in the root certificate to obtain the public key of the certificate in the flash memory; and then the terminal performs the signature on the public key of the certificate in the flash memory. Decrypt.
  • the data management apparatus in this embodiment may further include: a second detecting module 400, configured to detect whether the carrier identifier in the data card of the terminal is consistent with the carrier identifier in the flash memory of the terminal. .
  • the carrier identification code in the flash memory may first detect, by the second detection module 400, whether the operator identification code in the data card of the terminal is consistent with the carrier identification code in the flash memory of the terminal.
  • the second identification module 400 determines that the operator identification code in the data card of the terminal is consistent with the carrier identification code in the flash memory of the terminal
  • the operator identification code and the terminal identification code may be acquired by the data acquisition module 401;
  • the terminal can run an error handling program and cannot be used normally.
  • the data obtaining module 401 is specifically configured to acquire the operator identifier of the terminal and the preset terminal identifier when the operator identifier in the data card is consistent with the carrier identifier in the flash.
  • the data management apparatus obtains the first hash value by performing a hash operation including the terminal identification code and the operator identification code, and detects whether the first hash value is consistent with the pre-generated signature, and The usage right of the terminal is determined according to the detection result, thereby realizing data management of the terminal. Since the terminal identification code is not rewritable, it is difficult for an illegal user to replace the signature of the terminal with the signature of the terminal customized by another operator, and the program image of the terminal can be detected by replacing the program image with the program image.
  • the embodiment of the present invention solves the problem that the illegal user can use the program image of the terminal customized by other operators with the same hardware configuration in the prior art, and replaces the program image of the terminal, resulting in loss of the operator's customer and causing loss of the operator. .
  • the data management method and apparatus provided by the embodiments of the present invention can be applied to mobile terminals such as mobile phones.
  • the steps of a method or algorithm described in connection with the embodiments disclosed herein can be implemented directly in hardware, a software module executed by a processor, or a combination of both.
  • the software module can be placed in random access memory (RAM), memory, read only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, removable disk, CD-ROM, or technical field. Any other form of storage medium known.

Abstract

The present invention relates to communication technologies, and disclosed are a data management method and device for solving the customer loss problem of the operators caused by the existing data management technology. The method includes: acquiring the operation identification code of a terminal and a preset terminal identification code (101), with the terminal identification code being unchangeable and corresponding to the terminal; performing hash operation on first data by way of a preset hash algorithm to obtain a first hash value (102); detecting whether or not the signature is consistent with the first hash value to obtain a detection result (103); and determining the right to use of the terminal according to the detection result (104). The present invention can be applied in mobile terminals such as mobile phones and so on.

Description

数据管理方法和装置 技术领域  Data management method and device
本发明涉及通信技术, 尤其涉及一种数据管理方法和装置。  The present invention relates to communication technologies, and in particular, to a data management method and apparatus.
背景技术 Background technique
现有技术中安全引导技术(安全 boo t技术)可以实现运营商对终端 的数据管理。安全 boo t技术实现运营商对终端的数据管理的具体过程包 括: 根据终端的锁网需求, 在该终端的闪存中生成初始运营商识别码以及相 应的程序映像; 以及在闪存中根据该初始运营商识别码和程序映像生成签名, 该签名是可改写的; 终端启动时, 通过终端预先设置的哈希算法对该闪存中 的运营商识别码和程序映像进行哈希运算, 得到哈希值; 检测所述签名与该 哈希值是否一致, 如果一致, 说明程序和闪存的初始运营商识别码没有被非 法更改; 根据该检测结果确定终端的使用权限。  In the prior art, the security booting technology (secure boo t technology) can implement operator-to-terminal data management. The specific process of implementing the carrier-to-terminal data management by the secure boo t technology includes: generating an initial carrier identification code and a corresponding program image in the flash memory of the terminal according to the lock network requirement of the terminal; and based on the initial operation in the flash memory The merchant identification code and the program image generate a signature, and the signature is rewritable; when the terminal is started, the carrier identifier and the program image in the flash memory are hashed by a hash algorithm preset by the terminal to obtain a hash value; Detecting whether the signature is consistent with the hash value. If they are consistent, the initial carrier identifier of the program and the flash memory is not illegally changed; and the usage right of the terminal is determined according to the detection result.
釆用上述安全 boo t技术实现运营商对终端的数据管理时,发明人发 现现有技术至少存在如下问题: 非法用户可以使用硬件配置相同的其他 运营商定制的终端的程序映像, 替换本终端的程序映像时难以被检测, 导致运营商的客户流失, 造成运营商的损失。  When the above-mentioned secure boo t technology is used to implement the data management of the operator to the terminal, the inventor finds that the prior art has at least the following problems: The illegal user can use the program image of the terminal of the other operator customized with the same hardware configuration, and replace the terminal of the terminal. When the program image is difficult to be detected, the operator's customer is lost, causing the operator's loss.
发明内容 Summary of the invention
本发明实施例提供一种数据管理方法和装置, 能够检测出非法用户用硬 件配置相同的其他运营商定制的终端的程序映像替换本终端的程序映像。  The embodiment of the present invention provides a data management method and apparatus, which can detect that an illegal user replaces a program image of the terminal with a program image of a terminal customized by another operator having the same hardware configuration.
一方面, 提供了一种数据管理方法, 包括: 获取所述终端的运营商识别 码和预先设置的终端识别码, 所述终端识别码是不可改写且与所述终端—— 对应的; 通过预先设置的哈希算法对第一数据进行哈希运算, 得到第一哈希 值, 所述第一数据包括所述终端识别码和所述运营商识别码; 检测签名与所 述第一哈希值是否一致, 得到检测结果, 所述签名为根据所述终端识别码和 初始运营商识别码预先生成的, 所述初始运营商识别码为所述终端预先生成 的; 根据所述检测结果确定所述终端的使用权限。  In one aspect, a data management method is provided, including: acquiring an operator identifier of the terminal and a preset terminal identifier, where the terminal identifier is unrewritable and corresponding to the terminal; The hash algorithm is configured to perform a hash operation on the first data to obtain a first hash value, where the first data includes the terminal identifier and the operator identifier; and the detected signature and the first hash value If the result is consistent, the detection result is obtained, the signature is pre-generated according to the terminal identification code and the initial operator identification code, and the initial operator identification code is pre-generated by the terminal; The usage rights of the terminal.
另一方面, 提供了一种数据管理装置, 包括:  In another aspect, a data management apparatus is provided, including:
数据获取模块, 用于获取所述终端的运营商识别码和预先设置的终端识 别码, 所述终端识别码是不可改写且与所述终端——对应的; 哈希值获取模块, 用于通过预先设置的哈希算法对第一数据进行哈希运 算, 得到第一哈希值, 所述第一数据包括所述数据获取模块获取的终端识别 码和运营商识别码; a data acquisition module, configured to acquire an operator identification code of the terminal and a preset terminal identification code, where the terminal identification code is not rewritable and corresponds to the terminal; a hash value obtaining module, configured to perform hashing on the first data by using a preset hash algorithm, to obtain a first hash value, where the first data includes a terminal identifier and a carrier acquired by the data acquiring module Identifier;
第一检测模块, 用于检测签名与所述哈希值获取模块获取的第一哈希值 是否一致, 得到检测结果, 所述签名为根据所述终端识别码和初始运营商识 别码预先生成的, 所述初始运营商识别码为所述终端预先生成的;  a first detecting module, configured to detect whether the signature is consistent with the first hash value obtained by the hash value obtaining module, and obtain a detection result, where the signature is pre-generated according to the terminal identifier and the initial carrier identifier The initial carrier identifier is pre-generated by the terminal;
权限确定模块, 用于根据所述第一检测模块得到的检测结果确定所述终 端的使用权限。  The authority determining module is configured to determine the usage right of the terminal according to the detection result obtained by the first detecting module.
本发明实施例提供的数据管理方法和装置, 通过将包括终端识别码和运 营商识别码的进行哈希运算, 得到第一哈希值后; 检测第一哈希值与预先生 成的签名是否一致, 并根据检测结果确定终端的使用权限, 从而实现终端的 数据管理。 由于终端识别码是不可改写的, 因此非法用户难以用其他运营商 定制的终端的签名替换本终端的签名, 用程序映像替换本终端的程序映像可 以被检测出来。本发明实施例解决了现有技术中由于非法用户可以使用硬件 配置相同的其他运营商定制的终端的程序映像,替换本终端的程序映像, 导致运营商的客户流失, 造成运营商的损失的问题。  The data management method and device provided by the embodiment of the present invention obtains the first hash value by performing a hash operation including the terminal identification code and the operator identification code; and detecting whether the first hash value is consistent with the pre-generated signature And determining the usage rights of the terminal according to the detection result, thereby realizing data management of the terminal. Since the terminal identification code is not rewritable, it is difficult for an illegal user to replace the signature of the terminal with the signature of the terminal customized by another operator, and the program image of the terminal can be detected by replacing the program image with the program image. The embodiment of the present invention solves the problem that the illegal user can use the program image of the terminal customized by other operators with the same hardware configuration in the prior art, and replaces the program image of the terminal, causing the operator's customer to be lost and causing the loss of the operator. .
附图说明 DRAWINGS
为了更清楚地说明本发明实施例或现有技术中的技术方案, 下面将 对实施例或现有技术描述中所需要使用的附图作简单地介绍, 显而易见 地, 下面描述中的附图仅仅是本发明的一些实施例, 对于本领域普通技 术人员来讲, 在不付出创造性劳动的前提下, 还可以根据这些附图获得 其他的附图。  In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the description of the prior art will be briefly described below. Obviously, the drawings in the following description are only It is a certain embodiment of the present invention, and other drawings can be obtained from those skilled in the art without any creative work.
图 1为本发明实施例一提供的数据管理方法的流程图;  1 is a flowchart of a data management method according to Embodiment 1 of the present invention;
图 2为本发明实施例二提供的数据管理方法的流程图;  2 is a flowchart of a data management method according to Embodiment 2 of the present invention;
图 3为本发明实施例三提供的数据管理方法的流程图;  3 is a flowchart of a data management method according to Embodiment 3 of the present invention;
图 4为本发明实施例四提供的数据管理装置的结构示意图一;  4 is a schematic structural diagram 1 of a data management apparatus according to Embodiment 4 of the present invention;
图 5为本发明实施例四提供的数据管理装置的结构示意图二;  FIG. 5 is a schematic structural diagram 2 of a data management apparatus according to Embodiment 4 of the present invention; FIG.
图 6为本发明实施例四提供的数据管理装置的结构示意图三。  FIG. 6 is a schematic structural diagram 3 of a data management apparatus according to Embodiment 4 of the present invention.
具体实施方式  detailed description
下面将结合本发明实施例中的附图,对本发明实施例中的技术方案 进行清楚、 完整地描述, 显然, 所描述的实施例仅仅是本发明一部分实 施例, 而不是全部的实施例。 基于本发明中的实施例, 本领域普通技术 人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本 发明保护的范围。 The technical solution in the embodiment of the present invention will be described below with reference to the accompanying drawings in the embodiments of the present invention. The invention is described in a clear and complete manner, and it is obvious that the described embodiments are only a part of the embodiments of the invention, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative efforts are within the scope of the present invention.
为了解决现有数据管理导致运营商的客户流失的问题,本发明实施 例提供一种数据管理方法和装置。  In order to solve the problem that the existing data management leads to the loss of the operator's customers, the embodiment of the present invention provides a data management method and apparatus.
步骤 101 , 获取终端的运营商识别码和预先设置的终端识别码。 在本实施例中, 步骤 101 中运营商识别码用于与运营商关联, 包括 公共陆地移动网络 ( Public Land Mobile Network, PLMN ) 识别码; 它 可以是可改写的, 可以通过该运营商识别码与运营商建立关联。 步骤 101中运营商识别码,可以与运营商网络相关;对于不同的运营商网络, 该运营商识别码不同。 其中, 该运营商识别码可以为 PLMN ) 识别码 , 也可以为其他识别码, 在此不再——赘述。  Step 101: Obtain an operator identifier of the terminal and a preset terminal identifier. In this embodiment, the operator identification code in step 101 is used to associate with an operator, including a Public Land Mobile Network (PLMN) identifier; it may be rewritable, and the carrier identifier may be passed. Establish an association with the operator. The operator identification code in step 101 may be related to the operator network; for different carrier networks, the carrier identification code is different. The carrier identification code may be a PLMN identification code or other identification code, and is not repeated here.
在本实施例中,步骤 101中预先设置的终端识别码是不可改写且与 该终端——对应的。 该终端识别码用于在硬件上与终端进行关联; 可以 在生产终端时, 设置在终端的芯片内部。  In this embodiment, the terminal identification code preset in step 101 is not rewritable and corresponds to the terminal. The terminal identification code is used to associate with the terminal in hardware; it can be set inside the chip of the terminal when the terminal is produced.
在本实施例中,通过步骤 101既可以从终端的数据卡中获取运营商 识别码,也可以从终端的闪存中获取运营商识别码,在此不再——赘述。 其中,终端的数据卡,可以是客户识别模块( Subscriber Identity Module , SIM ), 也可以全球用户识别卡 ( Universal Subscriber Identity Module , USIM ), 还可以是其他种类的用户身份识别卡, 在此不作限制。  In this embodiment, the operator identification code may be obtained from the data card of the terminal through the step 101, or the carrier identification code may be obtained from the flash memory of the terminal, and is not described here. The data card of the terminal may be a Subscriber Identity Module (SIM), a Universal Subscriber Identity Module (USIM), or other types of user identification cards, which are not limited herein. .
步骤 102 , 通过预先设置的哈希算法对第一数据进行哈希运算, 得 到第一哈希值。  Step 102: Perform a hash operation on the first data by using a preset hash algorithm to obtain a first hash value.
在本实施例中, 步骤 102中第一数据, 可以包括终端识别码和运营 商识别码, 还可以包括安全数据等其他内容, 在此不作限制。 其中, 安 全数据为禁止其他用户非法墓改的数据, 用于对终端进行功能性限制。  In this embodiment, the first data in step 102 may include a terminal identifier and an operator identifier, and may also include other content such as security data, which is not limited herein. The security data is data that prohibits other users from illegally modifying the tomb, and is used to perform functional restrictions on the terminal.
在本实施例中,步骤 102中通过预先设置的哈希算法对第一数据进 行哈希运算过程,可以通过在终端中设置哈希算法相应的代码的方式实 现, 也可以为通过其他方式实现, 在此不再——赘述。  In this embodiment, the hashing process of the first data by using a preset hash algorithm in step 102 may be implemented by setting a code corresponding to the hash algorithm in the terminal, or may be implemented by other methods. No longer here - repeat.
步骤 103 , 检测签名与第一哈希值是否一致, 得到检测结果。 在本实施例中,步骤 103中签名为根据终端识别码和初始运营商识 别码预先生成的, 该初始运营商识别码为终端预先生成的。 当签名的形 式为哈希值时,通过步骤 103可以直接检测该签名与第一哈希值是否一 致; 当签名的形式为哈希值加密后的密文时, 需要首先对该签名进行解 密, 再通过步骤 103检测解密的结果与第一哈希值是否一致。 Step 103: Check whether the signature is consistent with the first hash value, and obtain a detection result. In this embodiment, the signature in step 103 is pre-generated according to the terminal identifier and the initial operator identifier, and the initial operator identifier is pre-generated by the terminal. When the signature is in the form of a hash value, step 103 can directly detect whether the signature is consistent with the first hash value. When the signature is in the form of a hash-encrypted ciphertext, the signature needs to be decrypted first. Then, through step 103, it is detected whether the decrypted result is consistent with the first hash value.
步骤 104 , 根据该检测结果确定终端的使用权限。  Step 104: Determine, according to the detection result, the usage right of the terminal.
在本实施例中,当通过步骤 103得到的检测结果为签名与第一哈希 值一致时,终端具有使用权限;根据该检测结果,该终端可以正常使用。 当通过步骤 103得到的检测结果为签名与第一哈希值不一致时,终端不 具有使用权限; 根据检测结果, 终端运行错误处理程序, 不可以正常使 用。  In this embodiment, when the detection result obtained by step 103 is that the signature is consistent with the first hash value, the terminal has the usage right; according to the detection result, the terminal can be used normally. When the detection result obtained in step 103 is that the signature is inconsistent with the first hash value, the terminal does not have the use permission; according to the detection result, the terminal runs the error handler and cannot be used normally.
本发明实施例提供的数据管理方法,通过将包括终端识别码和运营 商识别码的进行哈希运算, 得到第一哈希值后; 检测第一哈希值与预先 生成的签名是否一致, 并根据检测结果确定终端的使用权限, 从而实现 终端的数据管理。 由于终端识别码是不可改写的, 因此非法用户难以用 其他运营商定制的终端的签名替换本终端的签名,用程序映像替换本终端 的程序映像可以被检测出来。 本发明实施例解决了现有技术中由于非法 用户可以使用硬件配置相同的其他运营商定制的终端的程序映像,替换 本终端的程序映像,导致运营商的客户流失,造成运营商的损失的问题。  The data management method provided by the embodiment of the present invention obtains the first hash value by performing a hash operation including the terminal identification code and the operator identification code; and detects whether the first hash value is consistent with the pre-generated signature, and The usage right of the terminal is determined according to the detection result, thereby realizing data management of the terminal. Since the terminal identification code is not rewritable, it is difficult for an illegal user to replace the signature of the terminal with the signature of the terminal customized by another operator, and the program image of the terminal can be detected by replacing the program image with the program image. The embodiment of the present invention solves the problem that the illegal user can use the program image of the terminal customized by other operators with the same hardware configuration in the prior art, and replaces the program image of the terminal, resulting in loss of the operator's customer and causing loss of the operator. .
如图 2所示, 本发明实施例二提供的数据管理方法, 包括: 步骤 201 , 根据终端的锁网需求, 在终端的闪存中生成初始运营商 识别码。  As shown in FIG. 2, the data management method provided in Embodiment 2 of the present invention includes: Step 201: Generate an initial operator identification code in a flash memory of the terminal according to a lock requirement of the terminal.
在本实施例中, 终端制造商可以在生产终端时, 通过步骤 201在终 端的闪存中生成初始运营商识别码。通过步骤 201在终端的闪存中生成 初始运营商识别码后,终端制造商或用户可以根据需要对该初始运营商 识别码, 得到修改后的运营商识别码。  In this embodiment, the terminal manufacturer can generate an initial carrier identification code in the flash memory of the terminal through step 201 when the terminal is produced. After the initial operator identification code is generated in the flash memory of the terminal through step 201, the terminal manufacturer or user can obtain the modified carrier identification code according to the initial carrier identification code.
步骤 202 , 根据第二数据生成签名。  Step 202: Generate a signature according to the second data.
在本实施例中, 步骤 202中签名是可改写的, 第二数据可以包括初 始运营商识别码和终端识别码, 还可以包括安全数据等其他内容, 在此 不作限制。 通过步骤 202生成签名的过程, 可以包括通过预先设置的哈 希算法对第二数据进行哈希运算, 得到的第二哈希值为该签名; 为了提 高签名的可靠性,也可以包括通过预先设置的哈希算法对第二数据进行 哈希运算, 得到第二哈希值后, 对该第二哈希值进行加密, 得到的密文 为该签名。 In this embodiment, the signature is rewritable in the step 202, and the second data may include the initial carrier identifier and the terminal identifier, and may include other content such as security data, which is not limited herein. The process of generating a signature by step 202 may include adopting a preset The hash algorithm performs a hash operation on the second data, and the obtained second hash value is the signature; in order to improve the reliability of the signature, the second data may be hashed by a preset hash algorithm to obtain the first After the second hash value, the second hash value is encrypted, and the obtained ciphertext is the signature.
步骤 203至步骤 204 , 获取终端的运营商识别码和预先设置的终端 识别码, 并通过预先设置的哈希算法对第一数据进行哈希运算。 具体过 程可以参考图 1所示的步骤 101至步骤 102 , 在此不再——赘述。  Step 203 to step 204: Obtain an operator identification code of the terminal and a preset terminal identification code, and perform hash operation on the first data by using a preset hash algorithm. For the specific process, reference may be made to step 101 to step 102 shown in FIG. 1, which is not repeated here.
步骤 205 , 检测签名与第一哈希值是否一致, 得到检测结果。  Step 205: Check whether the signature is consistent with the first hash value, and obtain a detection result.
在本实施例中,如果步骤 205中签名是通过步骤 202根据初始运营 商识别码和终端识别码生成的, 相应的, 第一哈希值是通过步骤 204 根据运营商识别码和终端识别码生成的;如果步骤 205中签名是通过步 骤 202根据初始运营商识别码、终端识别码和安全数据生成的,相应的, 第一哈希值时通过步骤 204根据运营商识另 'J码、终端识别码和安全数据 生成的。  In this embodiment, if the signature is generated in step 205 according to the initial operator identification code and the terminal identification code, correspondingly, the first hash value is generated according to the operator identification code and the terminal identification code through step 204. If the signature is generated in step 205 according to the initial operator identification code, the terminal identification code, and the security data, correspondingly, the first hash value is determined by the operator according to the operator's identification of the 'J code, terminal identification. Code and security data generated.
在本实施例中,如果步骤 205中签名为通过预先设置的哈希算法对 第二数据进行哈希运算, 得到的第二哈希值, 通过步骤 205检测签名与 第一哈希值是否一致的过程为:检测该第二哈希值与第一哈希值是否一 致;如果步骤 205中签名为通过预先设置的哈希算法对第二数据进行哈 希运算, 得到第二哈希值后, 对第二哈希值进行加密, 得到的密文, 通 过步骤 205检测签名与第一哈希值是否一致的过程为:将该签名进行解 密, 得到第三哈希值, 检测该第三哈希值与第一哈希值是否一致, 得到 检测结果。  In this embodiment, if the signature in step 205 is a second hash value obtained by hashing the second data by using a hash algorithm set in advance, it is detected in step 205 whether the signature is consistent with the first hash value. The process is: detecting whether the second hash value is consistent with the first hash value; if the signature in step 205 is to hash the second data by using a preset hash algorithm to obtain the second hash value, The second hash value is encrypted, and the obtained ciphertext is detected by step 205. The process of detecting whether the signature is consistent with the first hash value is: decrypting the signature to obtain a third hash value, and detecting the third hash value. Whether it is consistent with the first hash value, the detection result is obtained.
在本实施例中, 对第二哈希值进行加密的私钥对应的公钥, 为根证 书中的公钥时, 可以直接通过该根证书的公钥对签名进行解密; 对第二 哈希值进行加密的私钥对应的公钥, 为终端的闪存中证书的公钥时, 为 了提高网络通信的安全性, 可以预先对闪存中证书的公钥进行加密, 得 到加密后的公钥; 此时, 对签名进行解密的过程可以包括: 终端首先使 用根证书中的公钥对对加密后的公钥进行解密, 得到闪存中证书的公 钥; 然后终端通过闪存中证书的公钥对签名进行解密。  In this embodiment, when the public key corresponding to the private key encrypted by the second hash value is the public key in the root certificate, the signature can be directly decrypted by the public key of the root certificate; When the public key corresponding to the encrypted private key is the public key of the certificate in the flash memory of the terminal, in order to improve the security of the network communication, the public key of the certificate in the flash memory may be encrypted in advance to obtain the encrypted public key; The process of decrypting the signature may include: the terminal first decrypts the encrypted public key by using the public key in the root certificate to obtain the public key of the certificate in the flash memory; and then the terminal performs the signature on the public key of the certificate in the flash memory. Decrypt.
步骤 206 , 根据检测结果确定终端的使用权限。 具体过程与图 1所 示的步骤 104相似, 在此不再——赘述。 Step 206: Determine, according to the detection result, the usage right of the terminal. The specific process and Figure 1 Step 104 is similar, and is not repeated here.
本发明实施例提供的数据管理方法,通过将包括终端识别码和运营 商识别码的进行哈希运算, 得到第一哈希值后; 检测第一哈希值与预先 生成的签名是否一致, 并根据检测结果确定终端的使用权限, 从而实现 终端的数据管理。 由于终端识别码是不可改写的, 因此非法用户难以用 其他运营商定制的终端的签名替换本终端的签名,用程序映像替换本终端 的程序映像可以被检测出来。 本发明实施例解决了现有技术中由于非法 用户可以使用硬件配置相同的其他运营商定制的终端的程序映像,替换 本终端的程序映像,导致运营商的客户流失,造成运营商的损失的问题。  The data management method provided by the embodiment of the present invention obtains the first hash value by performing a hash operation including the terminal identification code and the operator identification code; and detects whether the first hash value is consistent with the pre-generated signature, and The usage right of the terminal is determined according to the detection result, thereby realizing data management of the terminal. Since the terminal identification code is not rewritable, it is difficult for an illegal user to replace the signature of the terminal with the signature of the terminal customized by another operator, and the program image of the terminal can be detected by replacing the program image with the program image. The embodiment of the present invention solves the problem that the illegal user can use the program image of the terminal customized by other operators with the same hardware configuration in the prior art, and replaces the program image of the terminal, resulting in loss of the operator's customer and causing loss of the operator. .
如图 3所示, 本发明实施例三提供的数据管理方法, 包括: 步骤 301 , 检测终端的数据卡中运营商识别码与终端的闪存中运营 商识别码是否一致。  As shown in FIG. 3, the data management method provided in Embodiment 3 of the present invention includes: Step 301: Check whether the operator identification code in the data card of the terminal is consistent with the operator identification code in the flash memory of the terminal.
在本实施例中,为了防止用户修改数据卡中运营商识别码或终端的 闪存中运营商识别码,可以首先通过步骤 301检测终端的数据卡中运营 商识别码与终端的闪存中运营商识别码是否一致。当通过步骤 301确定 终端的数据卡中运营商识别码与终端的闪存中运营商识别码一致时,可 以通过步骤 302获取运营商识别码和终端识别码; 可选的, 当通过步骤 301 确定终端的数据卡中运营商识别码与终端的闪存中运营商识别码 不一致时, 终端可以运行错误处理程序, 不可以正常使用。  In this embodiment, in order to prevent the user from modifying the operator identification code in the data card or the carrier identification code in the flash memory of the terminal, the operator identification code in the data card of the terminal and the operator identification in the flash memory of the terminal may be first detected in step 301. Whether the codes are consistent. When it is determined in step 301 that the operator identification code in the data card of the terminal is consistent with the carrier identification code in the flash memory of the terminal, the operator identification code and the terminal identification code may be obtained through step 302. Optionally, when the terminal is determined through step 301 When the carrier ID in the data card is inconsistent with the carrier ID in the flash memory of the terminal, the terminal can run an error handler and cannot be used normally.
步骤 302 , 数据卡中运营商识别码与闪存中运营商识别码一致时, 获取终端的运营商识别码和预先设置的终端识别码。 具体过程与图 1 所示的步骤 101相似, 在此不再——赘述。  Step 302: When the carrier identifier in the data card is consistent with the carrier identifier in the flash memory, obtain the operator identifier of the terminal and the terminal identifier set in advance. The specific process is similar to step 101 shown in Figure 1, and is not repeated here.
步骤 303至步骤 305 , 对第一数据进行哈希运算, 得到第一哈希值 后, 检测签名与第一哈希值是否一致, 并根据检测结果确定终端的使用 权限。 具体过程与图 1所示的步骤 102至步骤 104相似, 在此不再—— 赘述。  Step 303 to step 305, performing a hash operation on the first data, and after obtaining the first hash value, detecting whether the signature is consistent with the first hash value, and determining the usage right of the terminal according to the detection result. The specific process is similar to step 102 to step 104 shown in FIG. 1, and is not repeated here.
本发明实施例提供的数据管理方法,通过将包括终端识别码和运营 商识别码的进行哈希运算, 得到第一哈希值后; 检测第一哈希值与预先 生成的签名是否一致, 并根据检测结果确定终端的使用权限, 从而实现 终端的数据管理。 由于终端识别码是不可改写的, 因此非法用户难以用 其他运营商定制的终端的签名替换本终端的签名,用程序映像替换本终端 的程序映像可以被检测出来。 本发明实施例解决了现有技术中由于非法 用户可以使用硬件配置相同的其他运营商定制的终端的程序映像,替换 本终端的程序映像,导致运营商的客户流失,造成运营商的损失的问题。 The data management method provided by the embodiment of the present invention obtains the first hash value by performing a hash operation including the terminal identification code and the operator identification code; and detects whether the first hash value is consistent with the pre-generated signature, and The usage right of the terminal is determined according to the detection result, thereby realizing data management of the terminal. Since the terminal identification code is not rewritable, it is difficult for illegal users to use The signature of the terminal customized by other operators replaces the signature of the terminal, and the program image of the terminal is replaced with the program image can be detected. The embodiment of the present invention solves the problem that the illegal user can use the program image of the terminal customized by other operators with the same hardware configuration in the prior art, and replaces the program image of the terminal, resulting in loss of the operator's customer and causing loss of the operator. .
如图 4所示, 本发明实施例四提供的数据管理装置, 包括: 数据获取模块 401 , 用于获取终端的运营商识别码和预先设置的终 端识别码, 终端识别码是不可改写且与终端——对应的。  As shown in FIG. 4, the data management apparatus provided in Embodiment 4 of the present invention includes: a data acquisition module 401, configured to acquire a carrier identifier of a terminal and a preset terminal identifier, where the terminal identifier is not rewritable and is connected to the terminal. --corresponding.
在本实施例中,数据获取模块 401 中运营商识别码用于与运营商关 联, 包括 PLMN识别码; 它可以是可改写的, 可以通过该运营商识别 码与运营商建立关联。 数据获取模块 401 中运营商识别码, 可以与运营 商网络相关; 对于不同的运营商网络, 该运营商识别码不同。 其中, 该 运营商识别码可以为 PLMN识别码, 也可以为其他识别码, 在此不再 ' "赞述。  In this embodiment, the operator identification code in the data acquisition module 401 is used to associate with the operator, including the PLMN identification code; it may be rewritable, and the operator identification code may be used to establish an association with the operator. The operator identification code in the data acquisition module 401 can be related to the operator network; the carrier identifier is different for different carrier networks. The carrier identification code may be a PLMN identification code or other identification code, and is no longer referred to herein.
在本实施例中,数据获取模块 401 中预先设置的终端识别码是不可 改写且与该终端——对应的。该终端识别码用于在硬件上与终端进行关 联; 可以在生产终端时, 设置在终端的芯片内部。  In this embodiment, the terminal identification code preset in the data acquisition module 401 is not rewritable and corresponds to the terminal. The terminal identification code is used to associate with the terminal in hardware; it can be set inside the chip of the terminal when the terminal is produced.
在本实施例中,通过数据获取模块 401既可以从终端的数据卡中获 取运营商识别码, 也可以从终端的闪存中获取运营商识别码, 在此不再 ——赘述。 其中, 终端的数据卡, 可以是 SIM, 也可以 USIM, 还可以 是其他种类的用户身份识别卡, 在此不作限制。  In this embodiment, the data acquisition module 401 can obtain the operator identification code from the data card of the terminal, or obtain the carrier identification code from the flash memory of the terminal, which is not repeated here. The data card of the terminal may be a SIM, a USIM, or another type of user identification card, which is not limited herein.
哈希值获取模块 402 , 用于通过预先设置的哈希算法对第一数据进 行哈希运算, 得到第一哈希值, 第一数据包括数据获取模块获取的终端 识别码和运营商识别码。  The hash value obtaining module 402 is configured to perform hashing on the first data by using a preset hash algorithm to obtain a first hash value, where the first data includes a terminal identifier and a carrier identifier obtained by the data acquiring module.
在本实施例中, 哈希值获取模块 402中第一数据, 可以包括终端识 别码和运营商识别码,还可以包括安全数据等其他内容,在此不作限制。 其中, 安全数据为禁止其他用户非法墓改的数据, 用于对终端进行功能 性限制。  In this embodiment, the first data in the hash value obtaining module 402 may include the terminal identification code and the operator identification code, and may also include other content such as security data, which is not limited herein. The security data is data that prohibits other users from illegally modifying the tomb, and is used to limit the functionality of the terminal.
在本实施例中,哈希值获取模块 402中通过预先设置的哈希算法对 第一数据进行哈希运算过程,可以通过在终端中设置哈希算法相应的代 码的方式实现, 也可以为通过其他方式实现, 在此不再——赘述。 第一检测模块 403 , 用于检测签名与哈希值获取模块获取的第一哈 希值是否一致, 得到检测结果, 签名为根据终端识别码和初始运营商识 别码预先生成的, 初始运营商识别码为终端预先生成的。 In this embodiment, the hash value obtaining module 402 performs a hash operation process on the first data by using a preset hash algorithm, which may be implemented by setting a code corresponding to the hash algorithm in the terminal, or may be Other ways to achieve, no longer here - repeat. The first detecting module 403 is configured to detect whether the signature is consistent with the first hash value obtained by the hash value obtaining module, and obtain a detection result, where the signature is pre-generated according to the terminal identifier and the initial operator identifier, and the initial operator identifier is generated. The code is pre-generated by the terminal.
在本实施例中,第一检测模块 403中签名为根据终端识别码和初始 运营商识别码预先生成的, 该初始运营商识别码为终端预先生成的。 当 签名的形式为哈希值时,通过第一检测模块 403可以直接检测该签名与 第一哈希值是否一致; 当签名的形式为哈希值加密后的密文时, 需要首 先对该签名进行解密,再通过第一检测模块 403检测解密的结果与第一 哈希值是否一致。  In this embodiment, the signature in the first detection module 403 is pre-generated according to the terminal identification code and the initial operator identification code, and the initial carrier identification code is pre-generated by the terminal. When the signature is in the form of a hash value, the first detection module 403 can directly detect whether the signature is consistent with the first hash value. When the signature is in the ciphertext encrypted by the hash value, the signature needs to be first. Decryption is performed, and then the first detection module 403 detects whether the decrypted result is consistent with the first hash value.
权限确定模块 404 , 用于根据第一检测模块得到的检测结果确定终 端的使用权限。  The permission determining module 404 is configured to determine the usage right of the terminal according to the detection result obtained by the first detecting module.
在本实施例中,权限确定模块 404可以包括第一确定子模块和第二 确定子模块。该第一确定子模块用于第一检测模块得到的检测结果为签 名与第一哈希值一致时, 终端具有使用权限; 即根据该检测结果, 该终 端可以正常使用;该第二确定子模块用于第一检测模块得到的检测结果 为签名与第一哈希值不一致时,终端不具有使用权限;即根据检测结果, 终端运行错误处理程序, 不可以正常使用。  In this embodiment, the rights determination module 404 can include a first determination sub-module and a second determination sub-module. The first determining submodule is configured to: when the detection result obtained by the first detecting module is that the signature is consistent with the first hash value, the terminal has the use permission; that is, the terminal can be used normally according to the detection result; the second determining submodule When the detection result obtained by the first detection module is that the signature is inconsistent with the first hash value, the terminal does not have the use permission; that is, according to the detection result, the terminal runs the error processing program and cannot be used normally.
进一步的, 如图 5所示, 本实施例中数据管理装置, 还可以包括: 号码生成模块 405 , 用于根据终端的锁网需求, 在终端的闪存中生 成初始运营商识别码。  Further, as shown in FIG. 5, the data management apparatus in this embodiment may further include: a number generation module 405, configured to generate an initial carrier identifier in the flash memory of the terminal according to the network lock requirement of the terminal.
在本实施例中, 终端制造商可以在生产终端时, 通过号码生成模块 405在终端的闪存中生成初始运营商识别码。 通过号码生成模块 405在 终端的闪存中生成初始运营商识别码后,终端制造商或用户可以根据需 要对该初始运营商识别码, 得到修改后的运营商识别码。  In this embodiment, the terminal manufacturer can generate an initial carrier identification code in the flash memory of the terminal by the number generation module 405 when the terminal is produced. After the initial operator identification code is generated by the number generation module 405 in the flash memory of the terminal, the terminal manufacturer or user can obtain the modified carrier identification code according to the initial carrier identification code.
签名生成模块 406 ,用于根据第二数据生成签名,签名是可改写的, 第二数据包括号码生成模块生成的初始运营商识别码和终端识别码。  The signature generation module 406 is configured to generate a signature according to the second data, the signature is rewritable, and the second data includes an initial operator identifier generated by the number generation module and a terminal identifier.
在本实施例中, 签名生成模块 406中签名是可改写的, 第二数据可 以包括初始运营商识别码和终端识别码,还可以包括安全数据等其他内 容, 在此不作限制。 通过签名生成模块 406生成签名的过程, 可以包括 通过预先设置的哈希算法对第二数据进行哈希运算,得到的第二哈希值 为该签名; 为了提高签名的可靠性, 也可以包括通过预先设置的哈希算 法对第二数据进行哈希运算, 得到第二哈希值后, 对该第二哈希值进行 加密, 得到的密文为该签名。 In this embodiment, the signature in the signature generation module 406 is rewritable, and the second data may include an initial carrier identifier and a terminal identifier, and may include other content such as security data, which is not limited herein. The process of generating a signature by the signature generation module 406 may include performing a hash operation on the second data by using a preset hash algorithm to obtain a second hash value. For the signature, in order to improve the reliability of the signature, the hash data may be hashed by a preset hash algorithm to obtain a second hash value, and then the second hash value is encrypted. The ciphertext is the signature.
在本实施例中,如果第一检测模块 403中签名是通过步骤 202根据 初始运营商识别码和终端识别码生成的, 相应的, 第一哈希值是通过哈 希值获取模块 402根据运营商识别码和终端识别码生成的;如果第一检 测模块 403中签名是通过签名生成模块 406根据初始运营商识别码、终 端识别码和安全数据生成的, 相应的, 第一哈希值时通过哈希值获取模 块 402根据运营商识别码、 终端识别码和安全数据生成的。  In this embodiment, if the signature in the first detection module 403 is generated according to the initial operator identification code and the terminal identification code through step 202, correspondingly, the first hash value is obtained by the hash value acquisition module 402 according to the operator. The identification code and the terminal identification code are generated; if the signature in the first detection module 403 is generated by the signature generation module 406 according to the initial carrier identification code, the terminal identification code, and the security data, correspondingly, the first hash value is passed through The hash value acquisition module 402 is generated based on the operator identification code, the terminal identification code, and the security data.
在本实施例中,如果第一检测模块 403中签名为通过预先设置的哈 希算法对第二数据进行哈希运算, 得到的第二哈希值, 通过第一检测模 块 403检测签名与第一哈希值是否一致的过程为:检测该第二哈希值与 第一哈希值是否一致;如果第一检测模块 403中签名为通过预先设置的 哈希算法对第二数据进行哈希运算, 得到第二哈希值后, 对第二哈希值 进行加密, 得到的密文, 通过第一检测模块 403检测签名与第一哈希值 是否一致的过程为: 将该签名进行解密, 得到第三哈希值, 检测该第三 哈希值与第一哈希值是否一致, 得到检测结果; 此时, 该第一检测模块 403 , 包括: 解密子模块, 用于将签名进行解密, 得到第三哈希值; 检 测子模块,用于检测第三哈希值与第一哈希值是否一致,得到检测结果。  In this embodiment, if the signature in the first detecting module 403 is a hashing operation on the second data by using a hash algorithm set in advance, the second hash value obtained by the first detecting module 403 is detected by the first detecting module 403. Whether the hash value is consistent is: detecting whether the second hash value is consistent with the first hash value; if the signature in the first detecting module 403 is to hash the second data by using a preset hash algorithm, After the second hash value is obtained, the second hash value is encrypted, and the obtained ciphertext is detected by the first detecting module 403. The process of detecting whether the signature is consistent with the first hash value is: decrypting the signature to obtain the first hash value. The third hash value is detected whether the third hash value is consistent with the first hash value, and the detection result is obtained. At this time, the first detecting module 403 includes: a decrypting submodule, configured to decrypt the signature to obtain the first hash value. a three-hash value; a detection sub-module, configured to detect whether the third hash value is consistent with the first hash value, and obtain a detection result.
在本实施例中, 对第二哈希值进行加密的私钥对应的公钥, 为根证 书中的公钥时, 可以直接通过该根证书的公钥对签名进行解密; 对第二 哈希值进行加密的私钥对应的公钥, 为终端的闪存中证书的公钥时, 为 了提高网络通信的安全性, 可以预先对闪存中证书的公钥进行加密, 得 到加密后的公钥; 此时, 对签名进行解密的过程可以包括: 终端首先使 用根证书中的公钥对对加密后的公钥进行解密, 得到闪存中证书的公 钥; 然后终端通过闪存中证书的公钥对签名进行解密。  In this embodiment, when the public key corresponding to the private key encrypted by the second hash value is the public key in the root certificate, the signature can be directly decrypted by the public key of the root certificate; When the public key corresponding to the encrypted private key is the public key of the certificate in the flash memory of the terminal, in order to improve the security of the network communication, the public key of the certificate in the flash memory may be encrypted in advance to obtain the encrypted public key; The process of decrypting the signature may include: the terminal first decrypts the encrypted public key by using the public key in the root certificate to obtain the public key of the certificate in the flash memory; and then the terminal performs the signature on the public key of the certificate in the flash memory. Decrypt.
进一步的, 如图 6所示, 本实施例中数据管理装置, 还可以包括: 第二检测模块 400 , 用于检测终端的数据卡中运营商识别码与终端 的闪存中运营商识别码是否一致。  Further, as shown in FIG. 6, the data management apparatus in this embodiment may further include: a second detecting module 400, configured to detect whether the carrier identifier in the data card of the terminal is consistent with the carrier identifier in the flash memory of the terminal. .
在本实施例中,为了防止用户修改数据卡中运营商识别码或终端的 闪存中运营商识别码,可以首先通过第二检测模块 400检测终端的数据 卡中运营商识别码与终端的闪存中运营商识别码是否一致。当通过第二 检测模块 400 确定终端的数据卡中运营商识别码与终端的闪存中运营 商识别码一致时,可以通过数据获取模块 401获取运营商识别码和终端 识别码; 可选的, 当通过第二检测模块 400确定终端的数据卡中运营商 识别码与终端的闪存中运营商识别码不一致时,终端可以运行错误处理 程序, 不可以正常使用。 In this embodiment, in order to prevent the user from modifying the carrier identification code or the terminal in the data card The carrier identification code in the flash memory may first detect, by the second detection module 400, whether the operator identification code in the data card of the terminal is consistent with the carrier identification code in the flash memory of the terminal. When the second identification module 400 determines that the operator identification code in the data card of the terminal is consistent with the carrier identification code in the flash memory of the terminal, the operator identification code and the terminal identification code may be acquired by the data acquisition module 401; When the second detection module 400 determines that the operator identification code in the data card of the terminal is inconsistent with the carrier identification code in the flash memory of the terminal, the terminal can run an error handling program and cannot be used normally.
此时, 该数据获取模块 401 , 具体用于数据卡中运营商识别码与闪 存中运营商识别码一致时,获取终端的运营商识别码和预先设置的终端 识别码。  At this time, the data obtaining module 401 is specifically configured to acquire the operator identifier of the terminal and the preset terminal identifier when the operator identifier in the data card is consistent with the carrier identifier in the flash.
本发明实施例提供的数据管理装置,通过将包括终端识别码和运营 商识别码的进行哈希运算, 得到第一哈希值后; 检测第一哈希值与预先 生成的签名是否一致, 并根据检测结果确定终端的使用权限, 从而实现 终端的数据管理。 由于终端识别码是不可改写的, 因此非法用户难以用 其他运营商定制的终端的签名替换本终端的签名,用程序映像替换本终端 的程序映像可以被检测出来。 本发明实施例解决了现有技术中由于非法 用户可以使用硬件配置相同的其他运营商定制的终端的程序映像,替换 本终端的程序映像,导致运营商的客户流失,造成运营商的损失的问题。  The data management apparatus provided by the embodiment of the present invention obtains the first hash value by performing a hash operation including the terminal identification code and the operator identification code, and detects whether the first hash value is consistent with the pre-generated signature, and The usage right of the terminal is determined according to the detection result, thereby realizing data management of the terminal. Since the terminal identification code is not rewritable, it is difficult for an illegal user to replace the signature of the terminal with the signature of the terminal customized by another operator, and the program image of the terminal can be detected by replacing the program image with the program image. The embodiment of the present invention solves the problem that the illegal user can use the program image of the terminal customized by other operators with the same hardware configuration in the prior art, and replaces the program image of the terminal, resulting in loss of the operator's customer and causing loss of the operator. .
本发明实施例提供的数据管理方法和装置,可以应用在手机等移动 终端中。  The data management method and apparatus provided by the embodiments of the present invention can be applied to mobile terminals such as mobile phones.
结合本文中所公开的实施例描述的方法或算法的步骤可以直接用 硬件、 处理器执行的软件模块, 或者二者的结合来实施。 软件模块可以 置于随机存储器( RAM )、 内存、 只读存储器(ROM )、 电可编程 ROM、 电可擦除可编程 ROM、 寄存器、 硬盘、 可移动磁盘、 CD-ROM、 或技 术领域内所公知的任意其它形式的存储介质中。  The steps of a method or algorithm described in connection with the embodiments disclosed herein can be implemented directly in hardware, a software module executed by a processor, or a combination of both. The software module can be placed in random access memory (RAM), memory, read only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, removable disk, CD-ROM, or technical field. Any other form of storage medium known.
以上所述, 仅为本发明的具体实施方式, 但本发明的保护范围并不 局限于此, 任何熟悉本技术领域的技术人员在本发明揭露的技术范围 内,可轻易想到变化或替换,都应涵盖在本发明的保护范围之内。 因此, 本发明的保护范围应所述以权利要求的保护范围为准。  The above is only a specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily think of changes or substitutions within the technical scope of the present invention. It should be covered by the scope of the present invention. Therefore, the scope of the invention should be determined by the scope of the claims.

Claims

权利 要 求 书 Claim
1、 一种数据管理方法, 其特征在于, 包括:  A data management method, characterized in that it comprises:
获取所述终端的运营商识别码和预先设置的终端识别码, 所述终端识别码 是不可改写且与所述终端——对应的;  Acquiring an operator identification code of the terminal and a preset terminal identification code, where the terminal identification code is not rewritable and corresponds to the terminal;
通过预先设置的哈希算法对第一数据进行哈希运算, 得到第一哈希值, 所 述第一数据包括所述终端识别码和所述运营商识别码;  Performing a hash operation on the first data by using a hash algorithm that is preset to obtain a first hash value, where the first data includes the terminal identifier and the carrier identifier;
检测签名与所述第一哈希值是否一致, 得到检测结果, 所述签名为根据所 述终端识别码和初始运营商识别码预先生成的, 所述初始运营商识别码为所述 终端预先生成的;  Detecting whether the signature is consistent with the first hash value, and obtaining a detection result, where the signature is pre-generated according to the terminal identifier and the initial operator identifier, and the initial operator identifier is pre-generated by the terminal. of;
根据所述检测结果确定所述终端的使用权限。  Determining the usage right of the terminal according to the detection result.
2、 根据权利要求 1所述的数据管理方法, 其特征在于, 在所述获取所述终 端的运营商识别码和预先设置的终端识别码之前, 所述方法还包括:  The data management method according to claim 1, wherein before the acquiring the operator identification code of the terminal and the preset terminal identification code, the method further includes:
根据所述终端的锁网需求, 在所述终端的闪存中生成所述初始运营商识别 码;  Generating the initial carrier identification code in a flash memory of the terminal according to a lock network requirement of the terminal;
根据第二数据生成所述签名, 所述签名是可改写的, 所述第二数据包括所 述初始运营商识别码和所述终端识别码。  Generating the signature according to the second data, the signature is rewritable, and the second data includes the initial operator identification code and the terminal identification code.
3、 根据权利要求 2所述的数据管理方法, 其特征在于,  3. The data management method according to claim 2, wherein
所述签名为: 通过所述预先设置的哈希算法对第二数据进行哈希运算, 得 到的所述第二哈希值; 或者  The signature is: the second hash value obtained by hashing the second data by the preset hash algorithm; or
所述签名为: 通过所述预先设置的哈希算法对第二数据进行哈希运算, 得 到所述第二哈希值后, 对所述第二哈希值进行加密, 得到的密文。  The signature is: a ciphertext obtained by performing a hash operation on the second data by using the preset hash algorithm to obtain the second hash value, and encrypting the second hash value.
4、 根据权利要求 1所述的数据管理方法, 其特征在于, 在所述获取所述终 端的运营商识别码和预先设置的终端识别码之前, 所述方法还包括:  The data management method according to claim 1, wherein before the acquiring the operator identification code of the terminal and the preset terminal identification code, the method further includes:
检测所述终端的数据卡中运营商识别码与所述终端的闪存中运营商识别码 是否一致;  Detecting whether the operator identification code in the data card of the terminal is consistent with the carrier identifier in the flash memory of the terminal;
所述获取所述终端的运营商识别码和预先设置的终端识别码具体为: 所述 数据卡中运营商识别码与所述闪存中运营商识别码一致时, 获取所述终端的运 营商识别码和预先设置的终端识别码。  The obtaining the operator identification code of the terminal and the preset terminal identification code is specifically: when the operator identification code in the data card is consistent with the operator identification code in the flash memory, acquiring the operator identification of the terminal The code and the preset terminal identification code.
5、 根据权利要求 1所述的数据管理方法, 其特征在于, 所述检测签名与所 述第一哈希值是否一致, 包括: 将所述签名进行解密, 得到第三哈希值; The data management method according to claim 1, wherein the detecting signature is consistent with the first hash value, and the method includes: Decrypting the signature to obtain a third hash value;
检测所述第三哈希值与所述第一哈希值是否一致。  Detecting whether the third hash value is consistent with the first hash value.
6、 根据权利要求 1所述的数据管理方法, 其特征在于,  6. The data management method according to claim 1, wherein:
所述终端识别码用于在硬件上与所述终端进行关联;  The terminal identifier is used to associate with the terminal in hardware;
所述运营商识别码用于与运营商关联, 包括公共陆地移动网络 PLMN识别 码。  The carrier identification code is used to associate with an operator, including a public land mobile network PLMN identification code.
7、 根据权利要求 1所述的数据管理方法, 其特征在于, 所述根据所述检测 结果确定所述终端的使用权限, 包括:  The data management method according to claim 1, wherein the determining the usage right of the terminal according to the detection result comprises:
所述检测结果为所述签名与所述第一哈希值一致时 , 所述终端具有使用权 限;  When the detection result is that the signature is consistent with the first hash value, the terminal has a usage right;
所述检测结果为所述签名与所述第一哈希值不一致时 , 所述终端不具有使 用权限。  If the detection result is that the signature does not match the first hash value, the terminal does not have a usage right.
8、 根据权利要求 1至 7中任意一项所述的数据管理方法, 其特征在于, 所 述第一数据还包括: 安全数据, 所述第二数据还包括: 安全数据, 所述安全数 据为禁止其他用户非法墓改的数据, 用于对所述终端进行功能性限制。  The data management method according to any one of claims 1 to 7, wherein the first data further comprises: security data, the second data further comprising: security data, wherein the security data is Data for illegal tombs modification by other users is prohibited, and is used to perform functional restrictions on the terminal.
9、 一种数据管理装置, 其特征在于, 包括:  9. A data management device, comprising:
数据获取模块, 用于获取所述终端的运营商识别码和预先设置的终端识别 码, 所述终端识别码是不可改写且与所述终端——对应的;  a data acquisition module, configured to acquire an operator identification code of the terminal and a preset terminal identification code, where the terminal identification code is not rewritable and corresponds to the terminal;
哈希值获取模块, 用于通过预先设置的哈希算法对第一数据进行哈希运算, 得到第一哈希值, 所述第一数据包括所述数据获取模块获取的终端识别码和运 营商识别码;  a hash value obtaining module, configured to perform hashing on the first data by using a preset hash algorithm, to obtain a first hash value, where the first data includes a terminal identifier and a carrier acquired by the data acquiring module Identifier;
第一检测模块, 用于检测签名与所述哈希值获取模块获取的第一哈希值是 否一致, 得到检测结果, 所述签名为根据所述终端识别码和初始运营商识别码 预先生成的, 所述初始运营商识别码为所述终端预先生成的;  a first detecting module, configured to detect whether the signature is consistent with the first hash value obtained by the hash value obtaining module, and obtain a detection result, where the signature is pre-generated according to the terminal identifier and the initial carrier identifier The initial carrier identifier is pre-generated by the terminal;
权限确定模块, 用于根据所述第一检测模块得到的检测结果确定所述终端 的使用权限。  The authority determining module is configured to determine the usage right of the terminal according to the detection result obtained by the first detecting module.
10、 根据权利要求 9所述的数据管理装置, 其特征在于, 还包括: 号码生成模块, 用于根据所述终端的锁网需求, 在所述终端的闪存中生成 所述初始运营商识别码;  The data management apparatus according to claim 9, further comprising: a number generating module, configured to generate the initial carrier identifier in a flash memory of the terminal according to a lock requirement of the terminal ;
签名生成模块, 用于根据第二数据生成所述签名, 所述签名是可改写的, 所述第二数据包括所述号码生成模块生成的初始运营商识别码和所述终端识别 码。 a signature generating module, configured to generate the signature according to the second data, where the signature is rewritable, The second data includes an initial operator identification code generated by the number generation module and the terminal identification code.
11、 根据权利要求 9所述的数据管理装置, 其特征在于, 还包括: 第二检测模块, 用于检测所述终端的数据卡中运营商识别码与所述终端的 闪存中运营商识别码是否一致;  The data management device according to claim 9, further comprising: a second detecting module, configured to detect an operator identification code in the data card of the terminal and an operator identification code in the flash memory of the terminal Consistent;
所述数据获取模块, 具体用于所述数据卡中运营商识别码与所述闪存中运 营商识别码一致时, 获取所述终端的运营商识别码和预先设置的终端识别码。  And the data obtaining module is configured to obtain an operator identifier of the terminal and a preset terminal identifier when the operator identifier in the data card is consistent with the operator identifier in the flash memory.
12、 根据权利要求 9 所述的数据管理装置, 其特征在于, 所述第一检测模 块, 包括:  The data management device according to claim 9, wherein the first detection module comprises:
解密子模块, 用于将所述签名进行解密, 得到第三哈希值;  a decryption submodule, configured to decrypt the signature to obtain a third hash value;
检测子模块, 用于检测所述第三哈希值与所述第一哈希值是否一致, 得到 所述检测结果。  And a detecting submodule, configured to detect whether the third hash value is consistent with the first hash value, to obtain the detection result.
13、 根据权利要求 9所述的数据管理装置, 其特征在于,  13. The data management device according to claim 9, wherein:
所述终端识别码用于在硬件上与所述终端进行关联;  The terminal identifier is used to associate with the terminal in hardware;
所述运营商识别码用于与所述运营商关联, 包括公共陆地移动网络 PLMN 识别码。  The carrier identification code is used to associate with the operator, including a public land mobile network PLMN identity.
14、 根据权利要求 9 所述的数据管理装置, 其特征在于, 所述权限确定模 块, 包括:  The data management apparatus according to claim 9, wherein the authority determining module comprises:
第一确定子模块, 用于所述第一检测模块得到的检测结果为所述签名与所 述第一哈希值一致时, 所述终端具有使用权限;  a first determining submodule, where the detection result obtained by the first detecting module is that the signature is consistent with the first hash value, the terminal has a usage right;
第二确定子模块, 用于所述第一检测模块得到的检测结果为所述签名与所 述第一哈希值不一致时, 所述终端不具有使用权限。  a second determining submodule, configured to: when the detection result obtained by the first detecting module is that the signature is inconsistent with the first hash value, the terminal does not have a usage right.
15、 根据权利要求 9至 14中任意一项所述的数据管理装置, 其特征在于, 所述第一数据还包括: 安全数据, 所述第二数据还包括: 安全数据, 所述安全 数据为禁止其他用户非法墓改的数据, 用于对所述终端进行功能性限制。  The data management device according to any one of claims 9 to 14, wherein the first data further comprises: security data, the second data further comprising: security data, wherein the security data is Data for illegal tombs modification by other users is prohibited, and is used to perform functional restrictions on the terminal.
PCT/CN2011/077971 2011-08-03 2011-08-03 Data management method and device WO2012159366A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
PCT/CN2011/077971 WO2012159366A1 (en) 2011-08-03 2011-08-03 Data management method and device
CN2011800016409A CN103098502A (en) 2011-08-03 2011-08-03 Data management method and device
US14/145,455 US20140115697A1 (en) 2011-08-03 2013-12-31 Data Management Method and Apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2011/077971 WO2012159366A1 (en) 2011-08-03 2011-08-03 Data management method and device

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US14/145,455 Continuation US20140115697A1 (en) 2011-08-03 2013-12-31 Data Management Method and Apparatus

Publications (1)

Publication Number Publication Date
WO2012159366A1 true WO2012159366A1 (en) 2012-11-29

Family

ID=47216588

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/077971 WO2012159366A1 (en) 2011-08-03 2011-08-03 Data management method and device

Country Status (3)

Country Link
US (1) US20140115697A1 (en)
CN (1) CN103098502A (en)
WO (1) WO2012159366A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112184444B (en) * 2020-09-29 2023-08-18 平安科技(深圳)有限公司 Method, device, equipment and medium for processing information based on characteristics of information

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1256002C (en) * 2000-03-30 2006-05-10 诺基亚公司 Subscriber authentication
CN101018125A (en) * 2007-03-02 2007-08-15 中兴通讯股份有限公司 Radio terminal security network and card locking method based on the ellipse curve public key cipher
CN101437224A (en) * 2008-12-22 2009-05-20 中兴通讯股份有限公司 Method for updating mobile terminal software and mobile terminal
WO2010022826A1 (en) * 2008-08-29 2010-03-04 Nec Europe Ltd Process for providing network access for a user via a network provider to a service provider
CN101951603A (en) * 2010-10-14 2011-01-19 中国电子科技集团公司第三十研究所 Access control method and system for wireless local area network

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7389426B2 (en) * 2005-11-29 2008-06-17 Research In Motion Limited Mobile software terminal identifier
KR100726674B1 (en) * 2006-06-30 2007-06-11 엘지전자 주식회사 Mobile communication terminal having a function of registration validation data and validation data registration method thereof
US7929959B2 (en) * 2007-09-01 2011-04-19 Apple Inc. Service provider activation
US8364978B2 (en) * 2007-11-26 2013-01-29 Koolspan, Inc. System for and method of auto-registration with cryptographic modules
CN101324914B (en) * 2008-05-19 2010-06-23 华为终端有限公司 Method and device for preventing piracy
KR100985397B1 (en) * 2008-06-30 2010-10-05 삼성전자주식회사 Apparatus and method for discriminating of valid mobile subscriber identity in mobile communication terminal
EP2259545A1 (en) * 2009-06-05 2010-12-08 Gemalto SA Method for calculating a first identifier of a secured element of a mobile terminal from a second identifier of this secured element
US8996851B2 (en) * 2010-08-10 2015-03-31 Sandisk Il Ltd. Host device and method for securely booting the host device with operating system code loaded from a storage device
US8862161B2 (en) * 2010-10-12 2014-10-14 Qualcomm Incorporated Method and apparatus for efficient idle operation in a dual-SIM CDMA 1X mobile station

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1256002C (en) * 2000-03-30 2006-05-10 诺基亚公司 Subscriber authentication
CN101018125A (en) * 2007-03-02 2007-08-15 中兴通讯股份有限公司 Radio terminal security network and card locking method based on the ellipse curve public key cipher
WO2010022826A1 (en) * 2008-08-29 2010-03-04 Nec Europe Ltd Process for providing network access for a user via a network provider to a service provider
CN101437224A (en) * 2008-12-22 2009-05-20 中兴通讯股份有限公司 Method for updating mobile terminal software and mobile terminal
CN101951603A (en) * 2010-10-14 2011-01-19 中国电子科技集团公司第三十研究所 Access control method and system for wireless local area network

Also Published As

Publication number Publication date
US20140115697A1 (en) 2014-04-24
CN103098502A (en) 2013-05-08

Similar Documents

Publication Publication Date Title
KR102307665B1 (en) identity authentication
TWI416932B (en) Device bound flashing/booting for cloning prevention
WO2018050081A1 (en) Device identity authentication method and apparatus, electric device, and storage medium
US9009463B2 (en) Secure delivery of trust credentials
JP7277270B2 (en) Personalization of Integrated Circuits Generated with Embedded Root of Trust Secrets
CN110688660B (en) Method and device for safely starting terminal and storage medium
WO2017202025A1 (en) Terminal file encryption method, terminal file decryption method, and terminal
US9461995B2 (en) Terminal, network locking and network unlocking method for same, and storage medium
WO2011116555A1 (en) Method and system for automatically logging in client
CN109495268B (en) Two-dimensional code authentication method and device and computer readable storage medium
FR3053203A1 (en) TECHNIQUE FOR DOWNLOADING A PROFILE OF ACCESS TO A NETWORK
WO2014169610A1 (en) Data encryption and decryption method and device, and protection system of mobile terminal
CN111401901B (en) Authentication method and device of biological payment device, computer device and storage medium
JP2014509808A (en) Mobile terminal encryption method, hardware encryption device, and mobile terminal
WO2019109640A1 (en) Method and device for locking sim card
GB2556638A (en) Protecting usage of key store content
JP2012191270A (en) Authentication system, terminal apparatus, authentication server and program
CN112417385A (en) Safety control method and system
CN112241527B (en) Secret key generation method and system of terminal equipment of Internet of things and electronic equipment
US20170201528A1 (en) Method for providing trusted service based on secure area and apparatus using the same
US20170091483A1 (en) Method and Device for Protecting Address Book, and Communication System
WO2012122782A1 (en) Method for obtaining unlock code, and mobile terminal
CN111901303A (en) Device authentication method and apparatus, storage medium, and electronic apparatus
JP6199712B2 (en) Communication terminal device, communication terminal association method, and computer program
CN109145533B (en) Method and device for protecting code by using random password

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 201180001640.9

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11866062

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11866062

Country of ref document: EP

Kind code of ref document: A1